NSAKEY

At the end of August '99, Andrew Fernandes, a Canadian cryptographer with a small consultancy called Cryptonym Corporation, was debugging one of his own programs following the release of NT4 Service Pack 5.

Now it has long been known that Windows has two crypto keys. The first obviously belongs to Microsoft itself, and is there to ensure Windows can load CryptoAPI services in conformance with US export laws. But what of the second?

Well, Fernandes found, by accident, that the MS programmer or programmers had forgotten to remove the symbolic label identifying the second key (standard practice for debugging purposes). And the name of this second key? NSAKEY.

On this simple fact has grown a mountain of speculation. You see, if this key is actually owned by the NSA, it would allow the NSA to subvert your security. The NSA could implant a Trojan that replaces the module which performs the encryption on your box with one that doesn't perform encryption, together with a sniffer. The replacement module would be accepted by the NSA key, with the result that your network traffic would be in plaintext and sniffed by the trojaned NSA sniffer; and you wouldn't even know it.

Microsoft, however, has strongly denied any such thing. "This report is inaccurate and unfounded. The key in question is a Microsoft key. It is maintained and safeguarded by Microsoft, and we have not shared this key with the NSA or any other party." Microsoft said the key is labelled "NSA key" because NSA is the technical review authority for U.S. export controls, and the key ensures compliance with U.S. export laws.
